I am attempting to use PAM to use a different password for sudo than I do for logging in.
I worked off of this post originally: Set sudo password differently from login one
Unfortunately, every time I do this I end up with an authentication error and I'm not sure what is going wrong. Perhaps I am hashing my password incorrectly or adding to the database incorrectly but I am unsure of what the problem is.
The configuration for sudo reads
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth required pam_userdb.so crypt=crypt db=/var/local/sudopass/passwd.db
#@include common-auth
@include common-account
@include common-session-noninteractive
I set the password using passwd -m des password for testing purposes and then use db5.3 to create the database passwd.db:
db5.3_load -h /var/local/sudopass -t hash -T passwd.db
my_username
73o8ECeyEW3Y2 (password hash)
And then authentication error. (Note, when I place this database in, say, my home directory, then PAM can't even find the database no matter how I set the permissions.)
Current auth.log dump
I'm having problems getting it to give me the authentication error but here is the current problem in auth.log
Oct 18 12:07:43 az-GlAdOS-mk11-m sudo: pam_userdb(sudo:auth): Verify user `az' with a password
Oct 18 12:07:43 az-GlAdOS-mk11-m sudo: pam_userdb(sudo:auth): user_lookup: could not open database `/var/local/sudopass/passwd.db': No such file or directory
Oct 18 12:07:43 az-GlAdOS-mk11-m sudo: az : PAM authentication error: Error in service module ; TTY=pts/4 ; PWD=/home/az ; USER=root ; COMMAND=/bin/nano /etc/pam.d/sudo
2 Answers
You could use the targetpw option in sudoers, which would make sudo ask not for your own password, but for the password of the user you want to execute the command as (which in most cases is root). You can then use different passwords for your own user and the root user account.
Use the following snippet in your sudoers file to globally enable this behavior (edit it with visudo):
Defaults targetpw
ALL ALL=(ALL) ALL
The second line means that every user on the system may use sudo if they know the password of the target user. If you omit it, membership of the configured group and the target's password are both required. (Note that you can circumvent the group requirement if you have access to su, as it does not honor this configuration.)
You can also use one of the following two variants, which will only apply the targetpw directive to a specific user or group, respectively:
Defaults:username targetpw
username ALL=(ALL) ALL
Defaults:%groupname targetpw
%groupname ALL=(ALL) ALL
(Do not specify ALL ALL=(ALL) ALL if you use one of these!)
The guide you linked to is from 5 years ago. PAM doesn't use DES anymore. Try using this to generate your password hash:
echo pass|mkpasswd -s -m sha-512
Add the debug option to the pam_userdb.so line to get more information in the system logs.
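An added worked example (editor's code, not from the question or either answer) that puts the second answer's advice into one script: it hashes the sudo-only password with mkpasswd -m sha-512, loads the record with db5.3_load the way the question does, locks down the file, and prints the matching auth line for /etc/pam.d/sudo. It also covers a point neither answer raises which matches the "No such file or directory" line in the posted auth.log: pam_userdb(8) documents the db= option as the database path without its .db suffix (the module appends it), so db=/var/local/sudopass/passwd.db makes the module look for passwd.db.db. Tool and package names are Debian/Ubuntu's; the directory and file names are the question's own; the SUDOPASS_RUN guard and the helper names (pam_db_arg, db_load_input, hash_is_crypt, install_db) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. Builds the
# pam_userdb database for a sudo-only password and prints the matching
# /etc/pam.d/sudo auth line. Tool names are Debian/Ubuntu's: mkpasswd
# (package whois) and db5.3_load (package db5.3-util); the directory and
# file names are the ones used in the question. Run as root with
# SUDOPASS_RUN=1 (an env-var guard chosen here so the helpers can also
# be sourced without running the interactive part).
set -eu

DB_DIR=/var/local/sudopass
DB_FILE="$DB_DIR/passwd.db"

# pam_userdb's db= option takes the database path WITHOUT its .db suffix
# (the module appends the suffix itself, per pam_userdb(8)); a config
# that says db=/var/local/sudopass/passwd.db makes it open passwd.db.db.
pam_db_arg() {
    case "$1" in
        *.db) printf '%s\n' "${1%.db}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# db_load -T reads key/value pairs as alternating lines: the key is the
# login name, the value is the crypt(3) hash pam_userdb compares against.
db_load_input() {
    printf '%s\n%s\n' "$1" "$2"
}

# Accept a sha-512 modular-crypt hash ($6$salt$hash) or a 13-character
# DES crypt hash; anything else (for example a plaintext password) can
# never verify under crypt=crypt and is refused before it reaches the db.
hash_is_crypt() {
    case "$1" in
        '$6$'*'$'*)    return 0 ;;
        ?????????????) return 0 ;;
        *)             return 1 ;;
    esac
}

# Hash a password with mkpasswd; -s reads it from stdin so it does not
# show up in the process list the way a command-line argument would.
make_hash() {
    printf '%s' "$1" | mkpasswd -s -m sha-512
}

# Create the directory and database as root-only (sudo is setuid root,
# so PAM reads the file as root), load one user record, then print the
# auth line to put in /etc/pam.d/sudo.
install_db() {                      # install_db username hash
    user=$1 hash=$2
    hash_is_crypt "$hash" || { echo "refusing to load a non-crypt hash" >&2; return 1; }
    install -d -m 0700 -o root -g root "$DB_DIR"
    db_load_input "$user" "$hash" | db5.3_load -T -t hash "$DB_FILE"
    chmod 0600 "$DB_FILE"
    printf 'auth required pam_userdb.so crypt=crypt db=%s\n' "$(pam_db_arg "$DB_FILE")"
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: SUDOPASS_RUN=1 $0 username" >&2; exit 2; }
    for tool in mkpasswd db5.3_load; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; exit 1; }
    done
    printf 'sudo-only password for %s: ' "$1"
    stty -echo; read -r pw; stty echo; echo
    install_db "$1" "$(make_hash "$pw")"
}

if [ "${SUDOPASS_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

With the auth line it prints in place of the question's, and the database created under /var/local/sudopass rather than a home directory (sudo runs PAM as root, and the 0700 directory and 0600 file keep other users from reading the hashes), the debug option from the answer above should show pam_userdb opening the database instead of reporting it missing.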